System32 Folder
#1
Posted 13 February 2006 - 06:14 AM
Thanks
#2
Posted 13 February 2006 - 06:18 AM
Have you gone to START-->RUN, typed msconfig, clicked on the STARTUP tab in the new window that appears, and tried to locate the offending entry and uncheck it?
Fenor
#3
Posted 13 February 2006 - 06:42 AM
Anyone else? Help would be appreciated.
Thanks
#4
Posted 13 February 2006 - 07:26 AM
Fenor
#5
Posted 13 February 2006 - 07:44 AM
StartupList report, 13/02/2006, 13:40:19
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Oliver\Desktop\hijackthis[1]\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\AOL\1134390626\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1134390626\ee\AOLServiceHost.exe
c:\program files\common files\aol\1134390626\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1134390626\ee\AOLServiceHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Oliver\Desktop\hijackthis[1]\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
EM_EXEC = C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
SiS KHooker = C:\WINDOWS\System32\khooker.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
VCSPlayer = "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
AOLDialer = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
REGSHAVE = C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
%FP%Friendly fts.exe = "C:\Program Files\Voyager100Test\fts.exe"
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
MessengerPlus3 = "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
HostManager = C:\Program Files\Common Files\AOL\1134390626\ee\AOLHostManager.exe
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\sstext3d.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - (no file) - {e0103cd4-d1ce-411a-b75b-4fec072867f4}
--------------------------------------------------
Enumerating Task Scheduler jobs:
A820747791C3EDA7.job
rundll32.job
Symantec NetDetect.job
--------------------------------------------------
Enumerating Download Program Files:
[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zon...kr.cab28578.cab
[iPIX ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ipixx.ocx
CODEBASE = http://www.ipix.com/viewers/ipixx.cab
[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zon...nt.cab30149.cab
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab
[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft....k/?linkid=39204
[MSSecurityAdvisor Class]
InProcServer32 = C:\WINDOWS\System32\mssecadv.dll
CODEBASE = http://download.micr...b?1083416686310
[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
CODEBASE = http://messenger.zon...er.cab28177.cab
[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.syma...bin/AvSniff.cab
[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yaho...s/yinst0401.cab
[PatchInstaller.Installer]
InProcServer32 = C:\WINDOWS\System32\XPPatchInstaller.dll
CODEBASE = file://D:\content\include\XPPatchInstaller.CAB
[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab
[QDiagAOLCCUpdateObj Class]
InProcServer32 = C:\WINDOWS\System32\qdiagcc.ocx
CODEBASE = http://aolcc.aolsvc....kup/qdiagcc.cab
[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.micros...b?1124904825421
[MSSecurityAdvisorCD Class]
InProcServer32 = C:\WINDOWS\System32\mssecucd.dll
CODEBASE = file://D:\Content\include\msSecUcd.cab
[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zon...nt.cab28177.cab
[CamImage Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\AxisCamControl.ocx
CODEBASE = http://24.120.32.163...sCamControl.cab
[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupd...8089.3312152778
[SassCln Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SassCln.dll
CODEBASE = http://www.microsoft.../20/SassCln.CAB
[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn...pDownloader.cab
[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://messenger.zon...ro.cab30149.cab
[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://us.dl1.yimg.c...utocomplete.cab
[RealArcadeRdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RealArcadeRdxIE.dll
CODEBASE = http://games-dl.real...ArcadeRdxIE.cab
[CBreakshotControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Banksht2.dll
CODEBASE = http://messenger.zon...ot.cab30149.cab
[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.syma...n/bin/cabsa.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab
[{DC187740-46A9-11D5-A815-00B0D0428C0C}]
CODEBASE = http://ds1.downloadt...pcpowerscan.cab
[ZoneChess Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Chess.ocx
CODEBASE = http://messenger.zon...ss.cab30149.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
wininet.dll =
--------------------------------------------------
End of report, 9,910 bytes
Report generated in 0.297 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
#6
Posted 13 February 2006 - 08:05 AM
Here are a couple things you can try:
1.) Please download the file located HERE to somewhere on your computer where you will remember its location. Then find the file on your computer and double-click it to run it. Click YES to the warning: "To work correctly, the script will close and restart the Windows Explorer shell. This will not harm your system. Continue?". When it's done, reboot your computer.
2.) Microsoft has a Knowledge Base article, found HERE, that deals with this exact issue.
If neither of these work, then we will try other options, which would include disabling all startup entries that don't need to be run, etc...
REMEMBER TO BACK UP THE REGISTRY BEFORE EDITING IT WHEN GOING THROUGH THE MICROSOFT KNOWLEDGE BASE ARTICLE!
Fenor
Edited by Fenor, 13 February 2006 - 08:14 AM.
#7
Posted 13 February 2006 - 08:47 AM
Thanks.
Edited by Ollie88, 13 February 2006 - 12:11 PM.
#8
Posted 13 February 2006 - 09:29 PM
- QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
- VCSPlayer = "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
- AOLDialer = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
- REGSHAVE = C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
- %FP%Friendly fts.exe = "C:\Program Files\Voyager100Test\fts.exe"
- SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
- MessengerPlus3 = "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
- HostManager = C:\Program Files\Common Files\AOL\1134390626\ee\AOLHostManager.exe
Did the system32 window open when your computer rebooted?
Fenor
#9
Posted 13 February 2006 - 09:34 PM
Also check and see what entries are listed in the following folders:
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
- C:\Documents and Settings\<username>\Start Menu\Programs\Startup
#10
Posted 14 February 2006 - 07:08 AM
Thanks
#11
Posted 14 February 2006 - 07:13 AM
regedit
<enter>
navigate to
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
anything in there? wininit.exe =, perhaps?
#12
Posted 14 February 2006 - 07:33 AM
#13
Posted 14 February 2006 - 07:39 AM
LEFT click and drag the cursor over all the lines inside the quotebox below to highlight them, starting with @echo off; then Copy & Paste the contents into Notepad. Click File > Save, type "runs.bat" as the name and save to your desktop. NOTE: you MUST use the quotes in the name as I did, else the file type will be wrong and it won't run.
@echo off
rem Start from a fresh report file.
if exist "%SystemDrive%\rep.txt" del "%SystemDrive%\rep.txt"
rem Export the machine-wide and the per-user Run keys to text files.
Regedit /e %SystemDrive%\LM.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Regedit /e %SystemDrive%\CU.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
rem Join both exports into one report, separated by a line of asterisks.
type %SystemDrive%\LM.txt>>%SystemDrive%\rep.txt
echo ****************************************************************************>>%SystemDrive%\rep.txt
type %SystemDrive%\CU.txt>>%SystemDrive%\rep.txt
del %SystemDrive%\LM.txt
del %SystemDrive%\CU.txt
echo Go to C:\rep.txt and post a copy back to Fenor in the forum (thanks to jwbirdsong for this script)
pause
Fenor
Edited by Fenor, 14 February 2006 - 07:40 AM.
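Posts #11 and #13 together describe the check a helper actually performs on the exported Run keys: look at each autorun value and find the one whose data is blank, which is what the StartupList output above shows under HKLM\...\policies\Explorer\Run ("wininet.dll ="). The following is an added example, not jwbirdsong's script and not anything posted in this thread: a small Python parser for the files that "Regedit /e" writes, which reads the exports offline and lists autorun values whose data is empty. The embedded export text is constructed for the example (it is formatted like a regedit export and reuses two entries from the StartupList report, but it is not a dump from the poster's machine); the file-reading helper and the list of Run-key paths it inspects are this example's own choices.

```python
"""Parse a regedit /e export and list autorun values whose data is blank."""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample in regedit 5.00 export format (not a real dump from the
# thread). It reuses two Run entries shown in the StartupList report plus the
# blank "wininet.dll" value under the Policies\Explorer\Run key.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"wininet.dll"=""
'''

# Autorun key paths this example inspects (suffix match, case-insensitive).
RUN_KEY_SUFFIXES = (
    r'\Microsoft\Windows\CurrentVersion\Run',
    r'\Microsoft\Windows\CurrentVersion\RunOnce',
    r'\Microsoft\Windows\CurrentVersion\policies\Explorer\Run',
)

# A value line is either "name"=data or @=data (the key's default value).
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    """Undo the .reg escaping: \\\\ -> \\ and \\" -> \" inside quoted text."""
    return re.sub(r'\\(.)', r'\1', s)


def load_reg_file(path: str) -> str:
    """Read an export; regedit 5.00 writes UTF-16LE with a BOM, REGEDIT4 writes ANSI."""
    with open(path, 'rb') as fh:
        raw = fh.read()
    if raw.startswith(b'\xff\xfe'):
        return raw.decode('utf-16')
    return raw.decode('cp1252', errors='replace')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}}; '@' names the default value.

    String data is unquoted and unescaped; dword:/hex: data is kept as text.
    """
    # Fold hex continuation lines (a trailing backslash means "continues").
    logical: List[str] = []
    for line in text.splitlines():
        if logical and logical[-1].endswith('\\'):
            logical[-1] = logical[-1][:-1] + line.strip()
        else:
            logical.append(line)

    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in logical:
        stripped = line.strip()
        if not stripped or stripped.startswith(('Windows Registry Editor', 'REGEDIT4', ';')):
            continue
        if stripped.startswith('[') and stripped.endswith(']'):
            current = stripped[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(stripped)
        if m is None or current is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else '@'
        data = m.group(2).strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_blank_autoruns(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Autorun values whose data is empty or whitespace-only, as (key, name)."""
    suffixes = tuple(s.lower() for s in RUN_KEY_SUFFIXES)
    hits: List[Tuple[str, str]] = []
    for path, values in keys.items():
        if not path.lower().endswith(suffixes):
            continue
        for name, data in values.items():
            if data.strip() == '':
                hits.append((path, name))
    return hits


if __name__ == '__main__':
    # Usage: python check_runs.py [exported.reg]; with no argument the sample is used.
    text = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for path, name in find_blank_autoruns(parse_reg_export(text)):
        print(f'blank autorun data: [{path}] "{name}"')
```

Run it against the LM.txt and CU.txt files the batch script produces (before they are deleted), or add a third "Regedit /e" line for the policies\Explorer\Run key, since that is the key where the StartupList report shows the blank value. The parser only reads export files, so it can be run on a copy of the report on another machine without touching the live registry.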
#14
Posted 14 February 2006 - 07:44 AM
Thanks
#15
Posted 14 February 2006 - 07:46 AM
if exist "%SystemDrive%\rep.txt" del "%SystemDrive%\rep.txt"
Regedit /e %SystemDrive%\LM.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Regedit /e %SystemDrive%\CU.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
type %SystemDrive%\LM.txt>>%SystemDrive%\rep.txt
echo ****************************************************************************>>c:\rep.txt
type %SystemDrive%\CU.txt>>%SystemDrive%\rep.txt
del %SystemDrive%\LM.txt
del %SystemDrive%\CU.txt
echo Go to C:\rep.txt and post a copy back to Fenor in the forum (thanks to jwbirdsong for this script)
pause